.\" A man page for ipa-server-install
.\" Copyright (C) 2008-2017  FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-server-install" "1" "Feb 17 2017" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-server\-install \- Configure an IPA server
.SH "SYNOPSIS"
ipa\-server\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an LDAP back\-end, configuring Apache, configuring NTP and optionally configuring and starting an LDAP-backed DNS server. By default a dogtag\-based CA will be configured to issue server certificates.

.SH "OPTIONS"
.SS "BASIC OPTIONS"
.TP
\fB\-r\fR \fIREALM_NAME\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
The Kerberos realm name for the new IPA deployment.

It is strongly recommended to \fBuse an upper-cased name of the primary DNS domain name\fR of your IPA deployment. You will not be able to establish trust with Active Directory unless the realm name is the upper-cased domain name.

The realm name cannot be changed after the installation.
.TP
\fB\-n\fR \fIDOMAIN_NAME\fR, \fB\-\-domain\fR=\fIDOMAIN_NAME\fR
The primary DNS domain of the IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. The specified DNS domain must not contain DNS records of any other LDAP or Kerberos based management system (like Active Directory or MIT Kerberos).

It is strongly recommended to \fBuse a lower-cased name of the IPA Kerberos realm name.\fR

The primary DNS domain name cannot be changed after the installation.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
The password to be used by the Directory Server for the Directory Manager user.
.TP
\fB\-a\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
The password for the IPA admin user.
.TP
\fB\-\-mkhomedir\fR
Create home directories for users on their first login.
.TP
\fB\-\-hostname\fR=\fIHOST_NAME\fR
The fully\-qualified DNS name of this server.
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected, the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
This option can be used multiple times to specify more IP addresses of the server (e.g. multihomed and/or dualstacked server).
.TP
Configure chronyd to use this NTP server. This option can be used multiple times and it is used to specify exactly one time server.
.TP
\fB\-\-ntp\-server\fR=\fINTP_SERVER\fR
Configure chronyd to use this NTP server. This option can be used multiple times and it is used to specify exactly one time server.
.TP
\fB\-\-ntp\-pool\fR=\fINTP_SERVER_POOL\fR
Configure chronyd to use this NTP server pool. This option is meant to be pool of multiple servers resolved as one host name. This pool's servers may vary but pool address will be still same and chrony will choose only one server from this pool.
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure NTP client (chronyd).
.TP
\fB\-\-idstart\fR=\fIIDSTART\fR
The starting user and group id number (default random).
.TP
\fB\-\-idmax\fR=\fIIDMAX\fR
The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.
.TP
\fB\-\-no-hbac-allow\fR
Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
.TP
\fB\-\-ignore-topology-disconnect\fR
Ignore errors reported when IPA server uninstall would lead to disconnected topology.
.TP
\fB\-\-ignore-last-of-role\fR
Ignore errors reported when IPA server uninstall would lead to removal of last CA/DNS server or DNSSec master.
.TP
\fB\-\-no\-ui\-redirect\fR
Do not automatically redirect to the Web UI.
.TP
\fB\-\-ssh\-trust\-dns\fR
Configure OpenSSH client to trust DNS SSHFP records.
.TP
\fB\-\-no\-ssh\fR
Do not configure OpenSSH client.
.TP
\fB\-\-no\-sshd\fR
Do not configure OpenSSH server.
.TP
\fB\-\-subid\fR
Configure SSSD as data source for subid.
.TP
\fB\-\-skip\-mem\-check\fR
Skip checking for minimum required memory
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input.
.TP
\fB\-\-dirsrv\-config\-file\fR
The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance.

.SS "CERTIFICATE SYSTEM OPTIONS"
.TP
\fB\-\-external\-ca\fR
Generate a CSR for the IPA CA certificate to be signed by an external CA.
.TP
\fB\-\-external\-ca\-type\fR=\fITYPE\fR
Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see \fB\-\-external\-ca\-profile\fR for full details).

.TP
\fB\-\-external\-ca\-profile\fR=\fIPROFILE_SPEC\fR
Specify the certificate profile or template to use at the external CA.

When \fB\-\-external\-ca\-type\fR is "ms-cs" the following specifiers may be used:

.RS
.TP
\fB<oid>:<majorVersion>[:<minorVersion>]\fR
Specify a certificate template by OID and major version, optionally also specifying minor version.
.TP
\fB<name>\fR
Specify a certificate template by name. The name cannot contain any \fI:\fR characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).
.TP
\fBdefault\fR
If no template is specified, the template name "SubCA" is used.
.RE

.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP
\fB\-\-random\-serial\-numbers\fR
Enable Random Serial Numbers (RSN) and certificate pruning. This option is enabled by default if the system is installed with a 389-ds version that supports LMDB or if another CA in the topology is configured with Random Serial Numbers. This option remains present to avoid issues with automation. In mixed environments where existing CA servers are configured with sequential numbers, it is recommended to replace the sequential servers as soon as reasonably possible.
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps.
.TP
\fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-http\-cert\-file\fR=\fIFILE\fR
File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-pkinit\-cert\-file\fR=\fIFILE\fR
File containing the Kerberos KDC SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-dirsrv\-pin\fR=\fIPIN\fR
The password to unlock the Directory Server private key.
.TP
\fB\-\-http\-pin\fR=\fIPIN\fR
The password to unlock the Apache Server private key.
.TP
\fB\-\-pkinit\-pin\fR=\fIPIN\fR
The password to unlock the Kerberos KDC private key.
.TP
\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
Name of the Directory Server SSL certificate to install.
.TP
\fB\-\-http\-cert\-name\fR=\fINAME\fR
Name of the Apache Server SSL certificate to install.
.TP
\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR
Name of the Kerberos KDC SSL certificate to install.
.TP
\fB\-\-ca\-cert\-file\fR=\fIFILE\fR
File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for CA and KRA installation.
.TP
\fB\-\-ca\-subject\fR=\fISUBJECT\fR
The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-subject\-base\fR=\fISUBJECT\fR
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.TP
\fB\-\-key\-type\-size\fR=\fITYPE:SIZE\fR
Specifies the key type and size for the HTTP, LDAP, PKINIT and RA certificates (if configured with a CA). The format is type:size where type is the type of key and size is the number represents the number of bits. Currently type only supports RSA keys. The sizes will depend on what the crypto engines and CA profiles support. Typical RSA sizes are 2048, 3072, 4096, 7168 and 8192. The default is rsa:2048.

.SS "HSM OPTIONS"
.TP
\fB\-\-token\-name\fR=\fITOKEN_NAME\fR
The PKCS#11 token name if using an HSM to store and generate private keys.
.TP
\fB\-\-token\-library\-path\fR=\fITOKEN_LIBRARY_PATH\fR
The full path to the PKCS#11 shared library needed to access the HSM device.
.TP
\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
The PKCS#11 token password for the HSM.
.TP
\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
The full path to a file containing the PKCS#11 token password.

.SS "SECRET MANAGEMENT OPTIONS"
.TP
\fB\-\-setup\-kra\fR
Install and configure a KRA on this server.

.SS "DNS OPTIONS"
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.

The DNS component in IPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.

.TP
\fB\-\-setup\-dns\fR
Configure an integrated DNS server, create DNS zone specified by \-\-domain, and fill it with service records necessary for IPA deployment.
In cases where the IPA server name does not belong to the primary DNS domain and is not resolvable using DNS, create a DNS zone containing the IPA server name as well.

This option requires that you either specify at least one DNS forwarder through
the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option.

Note that you can set up a DNS at any time after the initial IPA server install by running
.B ipa-dns-install
(see
.BR ipa-dns-install (1)).
IPA DNS cannot be uninstalled.

.TP
\fB\-\-forwarder\fR=\fIIP_ADDRESS\fR
Add a DNS forwarder to the DNS configuration. You can use this option multiple
times to specify more forwarders, but at least one must be provided, unless
the \fB\-\-no\-forwarders\fR option is specified.
.TP
\fB\-\-no\-forwarders\fR
Do not add any DNS forwarders. Root DNS servers will be used instead.
.TP
\fB\-\-auto\-forwarders\fR
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
.TP
\fB\-\-forward\-policy\fR=\fIfirst|only\fR
DNS forwarding policy for global forwarders specified using other options.
Defaults to first if no IP address belonging to a private or reserved ranges is
detected on local interfaces (RFC 6303). Defaults to only if a private
IP address is detected.
.TP
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
.TP
\fB\-\-no\-reverse\fR
Do not create reverse DNS zone.
.TP
\fB\-\-auto\-reverse\fR
Try to resolve reverse records and reverse zones for server IP addresses. If neither is resolvable, creates the reverse zones.
.TP
\fB\-\-zonemgr\fR
The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation.
.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
.TP
\fB\-\-no\-dnssec\-validation\fR
Disable DNSSEC validation on this server.
.TP
\fB\-\-allow\-zone\-overlap\fR
Allow creation of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.
.TP
\fB\-\-dns\-over\-tls\fR
Configure DNS over TLS.
.TP
\fB\-\-dot\-forwarder\fR=\fIIP_ADDRESS#HOSTNAME\fR
Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: 1.2.3.4#dns.example.com. This option can be used multiple times.
.TP
\fB\-\-dns\-over\-tls\-cert\fR=\fIFILE\fR
Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA.
.TP
\fB\-\-dns\-over\-tls\-key\fR=\fIFILE\fR
Key for the certificate specified in --dns-over-tls-key.
.TP
\fB\-\-dns\-policy\fR=\fIrelaxed|enforced\fR
Encrypted DNS policy. If enforced, DNS communications will only be allowed through the configured encrypted DNS methods. If relaxed,
unencrypted DNS queries will be allowed.

.SS "SID GENERATION OPTIONS"
.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided, this is determined
based on the leading component of the DNS domain name. Running
ipa\-adtrust\-install for a second time with a different NetBIOS name will
change the name. Please note that changing the NetBIOS name might break
existing trust relationships to other domains.
.TP
\fB\-\-rid-base\fR=\fIRID_BASE\fR
First RID value of the local domain. The first POSIX ID of the local domain will
be assigned to this RID, the second to RID+1 etc. See the online help of the
idrange CLI for details.
.TP
\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
Start value of the secondary RID range, which is only used in the case a user
and a group share numerically the same POSIX ID. See the online help of the
idrange CLI for details.

.SS "AD TRUST OPTIONS"
.TP
\fB\-\-setup\-adtrust\fR
Configure AD Trust capability.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
SSSD supports trusted domains natively starting with version 1.9. For platforms that
lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and groups will be
available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
SSSD will normalize names of users and groups to lower case.
.IP
In addition to providing these users and groups through the compat tree, this option enables
authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
.IP
LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
rule to allow access to anyone to this rule on IPA masters.
.IP
As '\fBsystem\-auth\fR' PAM service is not used directly by any other
application, it is safe to use it for trusted domain users via compatibility
path.

.SS "UNINSTALL OPTIONS"
.TP
\fB\-\-uninstall\fR
Uninstall an existing IPA installation.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended uninstallation that will never prompt for user input.

.SH "DEPRECATED OPTIONS"
.TP
\fB\-P\fR \fIMASTER_PASSWORD\fR, \fB\-\-master\-password\fR=\fIMASTER_PASSWORD\fR
The kerberos master password (normally autogenerated).

.SH "EXIT STATUS"
0 if the (un)installation was successful

1 if an error occurred

.SH "SEE ALSO"
.BR ipa-dns-install (1)
.BR ipa-adtrust-install (1)
